Threat Research and Analysis

Questions & Answers

What is threat infrastructure analysis? Understand the process and methodology that powers PassiveTotal. Save time and boost your analysis!

What is Threat Infrastructure Analysis?

Threat Infrastructure Analysis is a research process that brings context to incidents and attack campaigns by identifying related entities through multiple datasets. Data sources like active/passive DNS, WHOIS, SSL certificates and other page-content attributes allow analysts to link together disparate resources to understand the full scale of an attack.

PassiveTotal has adopted this research process and collects all the necessary data into one single platform, so analysts can spend their time focusing on threats to their organizations and not data collection/processing. By incorporating Threat Infrastructure Analysis into PassiveTotal, we bring the following value to the analyst:

Saving Time

Boosting Capability

Increasing Decision Confidence

Threat Infrastructure Analysis translates into real-world value and allows smaller teams to do more with less. By bringing sourcing and enriching data into one format, PassiveTotal is able to save analysts 20 minutes per indicator analysis on average. Additionally, with PassiveTotal enterprise, analysts are able to seamlessly collaborate with each other to further reduce analysis time and instantly turn their research into actionable guidance for others on the team.

Core Data

Passive DNS

Active DNS

WHOIS

SSL Certificates

Open Source Intelligence

How does PassiveTotal enable more powerful threat infrastructure analysis? Take a look at how you can use PassiveTotal to investigate a suspicious domain on your network through one-click pivoting and asking the right questions about the results.

How does PassiveTotal enable more powerful threat infrastructure analysis?

Threat Infrastructure Analysis is a research process that brings context to incidents and attack campaigns by identifying related entities through multiple datasets. Data sources like active/passive DNS, WHOIS, SSL certificates and other page-content attributes allow analysts to link together disparate resources to understand the full scale of an attack.

PassiveTotal has adopted this research process and collects all the necessary data into one single platform, so analysts can spend their time focusing on threats to their organizations and not data collection/processing. To understand how you might investigate a threat, walk through the scenario below.

FIRST: Suspicious Network Activity

Network administrators have uncovered a suspicious HTTP traffic pattern egressing the corporate network. Connections are being made to www.trendmicro-update.org and you are tasked with identifying more details for a larger investigation. Operating under the assumption that we know nothing about this domain, let’s see what we can find using PassiveTotal.

Questions to Ask

Was this domain being used for command and control or exfiltration?

What IP address was the domain resolving to at the time of discovery?

Are there any public reports or malware hashes associated with the domain?

SECOND: Search the Domain

Searching for the domain inside PassiveTotal reveals a lot of activity. Results are split up into different sections with the left being summary-based data and the right being more detailed information.

Questions to Ask

Does the heatmap indicate that the domain was active in the past six months?

Are there any patterns that stick out in the heatmap or the DNS data?

Is there a WHOIS record for the domain?

THIRD: Analyzing Summary Data

By aggregating more than 12 different sources of DNS data, PassiveTotal can provide a comprehensive understanding of the domain’s activity. Using the summary pane on the left, we can see that the domain has been active for nearly two years and has over 500 DNS records associated with it. Additionally, using community-driven features, we know that the domain hasn’t been compromised and isn’t a dynamic DNS provider.

Questions to Ask

How long has the domain been in use?

Are there a large number of resolution records?

Has the domain ever been compromised?

Is the domain part of a dynamic DNS provider?

FOURTH: Reading the Heatmap

To simplify analysis and surface infrastructure patterns, PassiveTotal has developed a heatmap visual that plots the last 6 months of DNS data and includes relevant features. Without looking at the detailed data, it’s possible for an analyst to come to several conclusions about this domain.

For nearly 3 months, the domain has been resolving to non-routable infrastructure

Towards the end of May, it appears the domain was active for a period of time before becoming non-routable again, suggesting something interesting happened that day

Starting in mid-July, the domain became routable again and has stayed that way until today

During the start of September, it appears two new IP addresses were seen resolving to the domain, though only one is being used as of today
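The four heatmap observations above are all derived from one question per day: did the domain resolve to anything routable, and which addresses were new? The following Python is an added example of that derivation, not PassiveTotal’s own heatmap code. It works on constructed sample observations (the dates and the second address 103.42.13.117 are made up; 103.42.13.116 is the address named later in this walkthrough) and uses the standard library’s notion of a globally routable address to decide routability.

```python
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample observations for one domain, not real passive DNS data.
# Each entry is (first_seen, last_seen, resolved address). 103.42.13.116 is the
# address named in the walkthrough; 103.42.13.117 is a made-up second address.
OBSERVATIONS = [
    ("2015-03-01", "2015-05-19", "127.0.0.1"),       # parked on loopback
    ("2015-05-20", "2015-05-20", "103.42.13.116"),   # one day of routable hosting
    ("2015-05-21", "2015-07-14", "0.0.0.0"),         # non-routable again
    ("2015-07-15", "2015-09-30", "103.42.13.116"),   # back on routable hosting
    ("2015-09-01", "2015-09-03", "103.42.13.117"),   # second address, briefly
]


def is_routable(ip: str) -> bool:
    """Routable means globally reachable: loopback, private, unspecified and
    reserved ranges all count as non-routable (parked/sinkholed) values."""
    return ipaddress.ip_address(ip).is_global


def daily_resolutions(observations):
    """Expand first_seen/last_seen ranges into a per-day set of addresses."""
    days = defaultdict(set)
    for first, last, ip in observations:
        d, end = date.fromisoformat(first), date.fromisoformat(last)
        while d <= end:
            days[d].add(ip)
            d += timedelta(days=1)
    return dict(days)


def routability_transitions(days):
    """Dates on which the domain flipped between routable and non-routable.
    A day counts as routable if at least one resolved address is routable."""
    out, prev = [], None
    for d in sorted(days):
        state = "routable" if any(is_routable(ip) for ip in days[d]) else "non-routable"
        if state != prev:
            out.append((d.isoformat(), state))
            prev = state
    return out


def first_seen_dates(days):
    """Date each address was first observed: shows when new resolutions appear."""
    seen = {}
    for d in sorted(days):
        for ip in sorted(days[d]):
            seen.setdefault(ip, d.isoformat())
    return seen


def multi_address_days(days):
    """Days on which more than one address resolved at the same time."""
    return [d.isoformat() for d in sorted(days) if len(days[d]) > 1]


if __name__ == "__main__":
    per_day = daily_resolutions(OBSERVATIONS)
    for when, state in routability_transitions(per_day):
        print(f"{when}: became {state}")
    print("first seen:", first_seen_dates(per_day))
    print("multi-address days:", multi_address_days(per_day))
```

Run against the constructed data, the transitions list reproduces the shape of the narrative above (non-routable, one routable day in May, non-routable, routable again in July), and the multi-address days surface the September window where a second address appeared.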

Questions to Ask

Has the domain had any activity over the past six months?

Are there any patterns that could narrow the analysis timeframe?

How often are new resolution values being introduced?

Are there many address associations on particular days?

FIFTH: WHOIS Discovery

Available for free to all users is the latest WHOIS record for the domain. Instead of displaying each section, PassiveTotal uses a custom process to merge the record down and highlight the unique data within the record. Each field within the record becomes a pivot point to find other domains that may also share some of the same WHOIS data.

Questions to Ask

Is the domain registered with unique data?

Is the WHOIS record privacy protected?

When was the domain originally registered?

Are the nameservers being used unique?

SIXTH: Deduplicated DNS Traffic

Located below the heatmap is a table of derived DNS results that were collected from multiple sources located all over the world. When collecting results, PassiveTotal merges overlapping records and enriches all of the data with features an analyst would need to further understand the infrastructure.

Questions to Ask

Are there any patterns that make this infrastructure interesting?

How often is the domain resolving to non-routable addresses?

Does the enrichment data show any patterns or reveal anything suspicious?

SEVENTH: Related Infrastructure

From the heatmap, it’s clear that something interesting occurred on May 20th, when the domain went from non-routable to routable. Hovering over the map reveals the IP address “103.42.13.116”. Simply clicking this IP inside the DNS results pivots over to a new data point for our investigation.

Similar to our previous view, we are able to identify all the domains that have been associated with the IP address. Taking what we learned, we can instantly glean the following:

No domains have associated with the IP in 3 months

There’s an SSL certificate meant for another domain being hosted on the server

The IP address has been seen hosting both registered and dynamic DNS domains

Beyond trendmicro-update.org, it appears that microsoft-outlook.org and registre.organiccrap.com also used this IP address

EIGHTH: SSL Certificate Discovery

Much like WHOIS records, SSL certificates provide a unique way of discovering potentially related infrastructure. PassiveTotal not only displays the current SSL certificate associated with IP addresses in a pivotable format, but has also built a history of certificate associations spanning several years.

Questions to Ask

Is there anything unique in the SSL certificate?

Do any of the certificates overlap with infrastructure not found through DNS data?

How often is the SSL certificate being changed?

Key Take-Aways

What’s important to take away from this example is how quickly an analyst can focus their research on a domain that is otherwise unknown to them. Simply running a search, making a couple of calculated clicks and noting conclusions could reveal a much larger threat than anticipated. For more details on performing threat infrastructure analysis, check out our training materials and “Know Your Foe” series.

Additional Learning

Know Your Foe blog series

Threat Infrastructure Analysis Pitfalls

What are common analysis pitfalls? Threat infrastructure analysis is full of dead ends and wrong turns. In our “Know Your Foe” series, we outline common pitfalls for certain datasets.

Common Pitfalls of Threat Infrastructure Analysis

PassiveTotal makes discovering connections amongst data sets easy, but as an analyst, it’s not always clear what’s actually malicious and what’s not. To further complicate the process, some common mistakes can waste resources for the analyst. The founders of PassiveTotal addressed many of these issues in a blog series titled, “Know your Foe”. Below are the articles in the series:

What is Passive DNS? Learn more about passive DNS, how it’s collected, why it’s useful for analysts and the right questions to ask when performing an investigation.

What is Passive DNS?

Passive DNS is a system of record that stores DNS resolution data for a given location, record and time period. To best understand passive DNS, one must first understand how DNS works and its value to Internet users. One analogy for DNS is the contacts application on your mobile phone. Rather than remember your friend’s phone number, you simply assign the number to a contact name and use the name to place calls to that number.

DNS works like a contact application for the Internet. Instead of having to remember IP addresses for all the websites you wish to access, DNS makes them available using domain names which are arguably easier to remember and less likely to change.

For example, let’s take passivetotal.org. At the time of writing this page, if we query passivetotal.org, we will be returned the IP address 45.55.77.126. In DNS, this is known as an “A” record and is one of many different record types including, but not limited to, AAAA (IPv6), MX (mail), NS (nameserver), and TXT (text). Each record type is used for a different purpose and, in theory, could be stored within a passive DNS database.

Passive DNS is having a historical repository of DNS data for a portion of the Internet.

— PassiveTotal Co-Founder Brandon Dixon

To collect this DNS information, a sensor is typically installed on the local network and set up to receive DNS requests as they happen. The sensor will only record DNS traffic that occurs on the local network, and not for the entire Internet. However, programs such as RiskIQ’s DNSIQ allow organizations to install a sensor on their network that reports back to RiskIQ and in exchange, the organization gains access to all the passive DNS traffic inside the central repository.

So why do we need a database of DNS data? Doesn’t DNS keep track of changes? Yes and no. DNS records can and will change often, but there’s no centralized historical repository. Once a change has been made to a DNS record, it will propagate across the Internet and the previous record will be gone forever. Imagine you get a breach notification for your network. Listed in the notification is a domain name and time period. The first logical question may be to ask what IP address that domain was pointing to at the time of the breach and if any other domains were pointing there too. Without a historical repository, you wouldn’t be able to know all the domains pointing to that IP address.

Storing this data in a database gives analysts insight into how a particular domain name changes over time and provides a way to identify other related domains and IP addresses. In the breach notification example, an analyst could take the domain, search for it within passive DNS and identify the history of IP addresses it resolved to over time. Those IP addresses could then be queried to find more domains that may be related to the larger attack.
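The breach-notification pivot described here, and the “Related Infrastructure” step in the walkthrough above (domain → address on May 20th → other domains on that address), are the same two queries over a passive DNS table: what did the domain resolve to at a given time, and what else pointed at that address around then. The Python below is an added example of those queries, not PassiveTotal’s code or API. The domain names and the address 103.42.13.116 are the ones named on this page; the date ranges and the unrelated-hosting.example entry are constructed to show why the time window matters.

```python
from datetime import date, timedelta

# Constructed sample passive DNS records, not real data. Domains and the
# address 103.42.13.116 come from the walkthrough on this page; the dates and
# the unrelated-hosting.example entry are made up to show the time-window filter.
RECORDS = [
    # (domain, address, first_seen, last_seen)
    ("www.trendmicro-update.org", "127.0.0.1",     "2015-03-01", "2015-05-19"),
    ("www.trendmicro-update.org", "103.42.13.116", "2015-05-20", "2015-05-20"),
    ("www.trendmicro-update.org", "103.42.13.116", "2015-07-15", "2015-09-30"),
    ("microsoft-outlook.org",     "103.42.13.116", "2015-05-18", "2015-06-02"),
    ("registre.organiccrap.com",  "103.42.13.116", "2015-05-20", "2015-05-25"),
    ("unrelated-hosting.example", "103.42.13.116", "2013-01-10", "2013-02-28"),
]


def _overlaps(first, last, start, end):
    """True if the [first, last] observation window touches [start, end]."""
    return date.fromisoformat(first) <= end and date.fromisoformat(last) >= start


def resolutions_at(records, domain, when):
    """What a domain resolved to on a given day (the 'time of the breach')."""
    when = date.fromisoformat(when)
    return sorted({ip for d, ip, f, l in records
                   if d == domain and _overlaps(f, l, when, when)})


def domains_on_ip(records, ip, start, end):
    """Reverse pivot: domains seen on the address within [start, end]."""
    start, end = date.fromisoformat(start), date.fromisoformat(end)
    return sorted({d for d, a, f, l in records
                   if a == ip and _overlaps(f, l, start, end)})


def pivot(records, domain, when, window_days=30):
    """Second-order pivot: domain -> addresses at `when` -> other domains on
    those addresses within +/- window_days of `when`. Restricting the window
    keeps years-old tenants of a shared address out of the result."""
    centre = date.fromisoformat(when)
    start = (centre - timedelta(days=window_days)).isoformat()
    end = (centre + timedelta(days=window_days)).isoformat()
    related = {}
    for ip in resolutions_at(records, domain, when):
        related[ip] = [d for d in domains_on_ip(records, ip, start, end) if d != domain]
    return related


if __name__ == "__main__":
    print(pivot(RECORDS, "www.trendmicro-update.org", "2015-05-20"))
```

Widening the window to cover 2013 pulls unrelated-hosting.example into the result, which is exactly the “does the time period line up?” question from the list below: overlap on an address is only meaningful when the observation windows overlap too.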

Analytical Leads

Historical repository of domains and IP addresses that could show overlap between values

Provides a method to get second order domains and IP addresses that may be related to your original query

Identifies subdomains associated with a particular query potentially revealing target details or more suspicious infrastructure

Questions to Ask Yourself

Do the passive DNS results line up with the time period I am interested in?

Are there other data points (WHOIS, SSL Certificates, etc.) that could be used to improve a connection point?

Have there been many changes to the domain or IP address over time?

Does it appear like the domain or IP address is part of a shared hosting network?

What is WHOIS? Learn more about WHOIS, why it’s useful for analysts and the right questions to ask when performing an investigation.

What is WHOIS?

Thousands of times a day, domains are bought and/or transferred between individuals. This process is easy and only takes a few minutes and roughly $7 depending on the registrar. Beyond payment details, you must provide additional personal information, some of which gets stored as part of a WHOIS record once the domain has been set up.

WHOIS is a protocol that allows anyone to query for information about a domain, IP address, or subnet. One of the most common functions for WHOIS in threat infrastructure research is to identify or connect disparate entities based on unique data shared within WHOIS records. If you were reading carefully or have ever purchased a domain yourself, you may have noticed that the content requested from the registrars is never verified. In fact, you could have put anything in the record (and a lot of people do) which would then be publicly available.

Each WHOIS record has a number of different sections, all of which could include different information. Commonly found sections include “registrar”, “registrant”, “administrator” and “technical”, each potentially corresponding to a different contact for the record. Often, this data is duplicated across sections, but in some cases there may be slight discrepancies, especially if someone entering the data made a mistake. When viewing WHOIS information within PassiveTotal, you will see a condensed record that de-duplicates any data and notes which part of the record it came from. This condensed record greatly speeds up the analyst workflow and reduces the chance of overlooking data.
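As an added illustration of the condensing step (this is not PassiveTotal’s implementation, and the records are constructed, not real registrations), the Python below merges the per-section contacts of a record into one value-keyed view that remembers which sections each value came from, flags fields whose values disagree across sections, and drops privacy-service placeholders from the list of pivot candidates. The PRIVACY_MARKERS list is an assumption: real placeholder strings vary by registrar and privacy provider.

```python
from collections import defaultdict

# Constructed sample WHOIS record, not a real registration: one dict per
# section as a registrar might return it. Note the technical contact typo.
RAW_RECORD = {
    "registrant": {"name": "John Doe", "email": "jdoe@example.com",
                   "organization": "Example Org", "phone": "+1.5555550100"},
    "administrator": {"name": "John Doe", "email": "jdoe@example.com",
                      "organization": "Example Org", "phone": "+1.5555550100"},
    "technical": {"name": "Jon Doe", "email": "jdoe@example.com",
                  "organization": "Example Org", "phone": "+1.5555550199"},
}

# A second constructed record behind a privacy service, to show what not to pivot on.
PROTECTED_RECORD = {
    "registrant": {"name": "REDACTED FOR PRIVACY", "email": "contact@privacy-proxy.example"},
    "administrator": {"name": "REDACTED FOR PRIVACY", "email": "contact@privacy-proxy.example"},
}

# Assumed substrings that mark a privacy-protected placeholder; extend per registrar.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard")


def condense(record):
    """Merge sections into {field: {value: [sections it appeared in]}}, so each
    distinct value is listed once and its origin is still known."""
    merged = defaultdict(lambda: defaultdict(list))
    for section, fields in record.items():
        for field, value in fields.items():
            merged[field][value.strip()].append(section)
    return {field: dict(values) for field, values in merged.items()}


def discrepancies(condensed):
    """Fields with more than one distinct value: a data-entry slip or a genuinely
    different contact, either of which deserves a closer look."""
    return {f: sorted(v) for f, v in condensed.items() if len(v) > 1}


def pivot_candidates(condensed):
    """(field, value) pairs worth searching other records for. Values that look
    like privacy-service placeholders are skipped: they are shared by thousands
    of unrelated domains and would only produce noise."""
    return [(f, v) for f, values in condensed.items() for v in values
            if not any(m in v.lower() for m in PRIVACY_MARKERS)]


if __name__ == "__main__":
    condensed = condense(RAW_RECORD)
    print("condensed:", condensed)
    print("discrepancies:", discrepancies(condensed))
    print("pivots:", pivot_candidates(condensed))
    print("protected pivots:", pivot_candidates(condense(PROTECTED_RECORD)))
```

The condensed view answers two of the questions listed below at a glance: whether any data is unique enough to pivot on, and whether the record is privacy protected (in which case the candidate list comes back empty).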

Analytical Leads

Attack timeline analysis based on domain registration and expiration

Leverage history (hosting/record) to identify trends or specific patterns

Connect different domains and IP addresses using fields within the record

Questions to Ask Yourself

How old is the domain?

Is the information privacy protected?

Does any of the data appear to be unique?

What name servers are used?

Is there any history?

What are SSL Certificates for connections? Identify how SSL Certificates can be used for better correlation and move beyond just protecting your data within the browser.

SSL Certificates for Connections

When browsing the web, SSL certificates are everywhere. You may only see them as the small locks inside of your browser bar, but beyond securing your data, certificates are a great way for analysts to connect disparate network infrastructure. Modern scanning techniques allow us to perform data requests against every node on the Internet in a matter of hours, so we can easily associate a certificate to the IP address hosting it on a regular basis.

Much like a WHOIS record, SSL certificates require user-supplied information to generate the final product. Aside from the domain the SSL certificate is being created for (unless self-signed), any additional information can be made up by the user. As analysts, where we see the most value from SSL certificates is not necessarily in the unique data someone may use when generating the certificate, but where it’s hosted.

To access an SSL certificate, it needs to be associated with a web server and exposed through a particular port (most often 443). Using mass Internet scans on a weekly basis, it’s possible to scan all IP addresses and obtain any certificate being hosted to build a historic repository of certificate data. Having a database of IP address to SSL certificate mappings provides analysts with a way to identify overlap in infrastructure.

To further illustrate this concept, imagine someone has set up a server with a self-signed SSL certificate. After several days, defenders become wise to their infrastructure and block the web server hosting malicious content. Instead of destroying all their hard work, the actor merely copies all the contents (including the SSL certificate) and places them on a new server. As an analyst, a connection can now be made using the unique SHA-1 value of the certificate to say that both web servers (one blocked, one unknown) are connected in some way.

What makes SSL certificates more valuable is that they can make connections that passive DNS or WHOIS data may miss. This means more ways of correlating potentially malicious infrastructure and identifying potential operational security failures. PassiveTotal has collected over 30 million certificates from 2013 until present day and provides analysts with the tools to make correlations on certificate content and history.
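The moved-server scenario above rests on two mechanical steps: computing the SHA-1 fingerprint (the hash of the certificate’s DER bytes, which is what a PEM file base64-encodes), and joining scan observations on that fingerprint. The Python below is an added example of both, not PassiveTotal’s code. The “certificate” it hashes is a labelled placeholder byte string, not a real X.509 structure, and the scan table uses constructed documentation-range addresses and label strings in place of real fingerprints.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed placeholder standing in for a DER-encoded certificate. It is NOT
# a real X.509 structure; it only exercises the PEM -> DER -> SHA-1 steps.
_PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_PLACEHOLDER_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def sha1_fingerprint(pem: str) -> str:
    """The SHA-1 fingerprint is the hash of the DER bytes; line endings and
    wrapping in the PEM file do not affect it."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


# Constructed scan observations, not real scan data: (address, fingerprint,
# first_seen, last_seen). 'cert-a' stands for the self-signed certificate in
# the scenario above; the addresses are from documentation ranges.
SCANS = [
    ("203.0.113.10",  "cert-a", "2015-05-01", "2015-05-07"),  # server later blocked
    ("198.51.100.20", "cert-a", "2015-05-08", "2015-06-30"),  # same cert reappears
    ("198.51.100.21", "cert-b", "2015-05-01", "2015-06-30"),  # unrelated cert
    ("203.0.113.10",  "cert-c", "2014-01-01", "2014-12-31"),  # earlier cert, same server
]


def certificates_on(scans, ip):
    """Every fingerprint ever observed on an address."""
    return {fp for a, fp, f, l in scans if a == ip}


def hosts_sharing_certificate(scans, ip):
    """Other addresses that have presented a certificate seen on `ip`, with the
    windows in which they did so. An empty result means the certificate gives
    no new lead beyond what DNS or WHOIS already produced."""
    wanted = certificates_on(scans, ip)
    shared = defaultdict(list)
    for a, fp, f, l in scans:
        if fp in wanted and a != ip:
            shared[fp].append((a, f, l))
    return dict(shared)


if __name__ == "__main__":
    print("placeholder fingerprint:", sha1_fingerprint(CONSTRUCTED_PEM))
    print("hosts sharing a cert with 203.0.113.10:",
          hosts_sharing_certificate(SCANS, "203.0.113.10"))
```

Pivoting from the blocked address returns the new server and the date the certificate first appeared there, which is the connection the scenario describes; the unrelated certificate on 198.51.100.21 yields nothing, as it should.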

Analytical Leads

Identifies additional infrastructure based on a shared certificate

May identify connections where WHOIS or DNS data come up with nothing

Data within the certificate may overlap with other certificates revealing more infrastructure

Questions to Ask Yourself

Is the SSL certificate expired?

Does the SSL certificate belong to a content provider?

Does any of the data appear to be unique?

Do any results overlap with passive DNS or WHOIS?

Has the certificate been used on other hosts?

How do analysts drive research? Learn how classifying domains and IP addresses within PassiveTotal persists your knowledge, why it’s useful for analysts and how it keeps a team in sync.

Analyst-Driven Research

Ever find yourself coming across familiar looking infrastructure, but can’t remember where or why or when you saw it? More importantly, are you able to remember if it were good, bad or just a figment of your imagination? Yeah, we’ve been there too and that’s one of the primary reasons PassiveTotal included the ability for analysts to classify a domain or IP address within the platform.

When responding to incidents, client requests or what feels like a never-ending event queue, any time that can be saved is important. Classifications are an easy one-click solution that persists your knowledge, augments your future research and provides insight to others within your team. If you aren’t classifying your queries, maybe it’s time to take another look.

Now, you don’t need to remember if an indicator is malicious or not — just classify it. PassiveTotal allows users to classify a domain or IP address as malicious, suspicious, non-malicious or unknown. Simply clicking one of the radio buttons marks the item and preserves your classification, so that if you stumble across the same infrastructure in the future, you won’t have to guess its state. While it seems inconsequential, having your existing classification show up on a query means your workflow is not being disrupted which ultimately results in time saved.

Research has shown that our brains are capable of processing entire images in as little as 13 milliseconds. Think about that, entire images in less than a second; imagine how quickly it can process just a single row of color. Aside from providing a text version of classifications, we present them using visual cues, so that as you continue your research, it’s extremely clear that not only has something been classified, but also what particular value was chosen. To do this, we choose to represent each classification value as a particular color. Malicious values are highlighted red, suspicious as yellow, non-malicious as green and unknown as white. Hypothetically, if you use classifications, you’ll be able to process your existing research in less than a second. Pair that with existing knowledge, and there’s even more time saved.

If you are fortunate enough to work with a team, then you already know the challenges to keeping everyone in sync even if they are in the same location. Even worse, what happens when an analyst leaves the company? More often than not, when an analyst leaves, so does their knowledge. If your organization is using PassiveTotal Enterprise and our classifications, this is no longer an issue. Need to know what your co-worker is analyzing? Take a look at the teamstream to get a quick glimpse of what others are doing. Curious if someone in your organization already reviewed a particular domain? Just go run a query and look for the classification value. Working together happens seamlessly within PassiveTotal which means less time talking and more time searching.

With classifications, a single click or POST to our API takes your knowledge and instantly distills it into actionable feedback within PassiveTotal. In a field where time is precious, why wouldn’t you want to save more? Persisting your analysis back within PassiveTotal is guaranteed to improve your and your team’s workflow.

What is open source intelligence? Learn more about open source intelligence, how it’s made available, why it’s useful for analysts and the right questions to ask when performing an investigation.

What is open source intelligence?

Open source intelligence (OSINT) is data that can be found publicly online and is freely available for use inside your organization. This data is often produced by individuals or companies and is either given away for marketing purposes or just as a way to share research. While great content can easily be found online, it may not be a full replacement for paid intelligence services. Some OSINT may draw incorrect conclusions or could be missing significant analysis, so any data collected should be processed before applying it within your organization.

There’s no shortage of papers or blogs detailing the threats that plague organizations today and those data sources are ripe with indicators of compromise. In many cases, these listings of indicators manifest themselves in static data feeds that are often fed into a rule generator or device capable of automated blocking. Given the potential for mistakes, we feel these feeds are best applied in the context of performing research.

PassiveTotal users are able to see OSINT data when querying within the platform in two ways: tags and a tab attributing those tag values back to the source of information. Additionally, OSINT data is available through the API in the form of tags on a particular domain or IP address. Those looking to research without the OSINT data can deactivate the source from within the API Associations page.

The addition of OSINT as another source within PassiveTotal not only provides additional context, but also augments the user’s research process. As pivots are made within PassiveTotal, users can instantly glean areas of interest based on what values are tagged and what those tags say. Analysts no longer need to worry about what was publicly reported, since it’s always there as they research.

Analytical Leads

Provides additional context to indicators that may be linked to your original query

Aids analysts in discovering a larger narrative around the threat

Could help an analyst find malware or other artifacts

Shows 3rd party perspectives and could be used to begin a conversation with another organization

Questions to Ask

How does the indicator I am interested in relate to the OSINT?

Are the OSINT claims backed up using data?

Is the OSINT provided by an individual, trusted group or larger organization?

Does there appear to be any misleading material in the OSINT?

What is active DNS? Learn more about active DNS, how it’s collected, why it’s useful for analysts and the right questions to ask when performing an investigation.

What is active DNS?

Unlike its counterpart passive DNS, “active DNS” is a less commonly heard term in information security. If you aren’t familiar with passive DNS, go take a look here before reading on. Active DNS matches passive DNS in every way except for how it’s collected. Unlike passive DNS, where someone on the monitored network segment needs to make a request for data, active DNS just forces data requests to happen.

One of the greatest benefits of an active DNS approach is that you, the end user, can control how often lookups are completed and which DNS server to use when performing them. Having this capability unlocks the ability for anyone to collect data and derive their own historical view of a given domain or IP address.

Another benefit to active DNS is the ability to brute force or come up with a list of frequently used subdomains to figure out if any of them are resolving. This process is fast and can be invaluable in providing additional data points that may have largely gone undiscovered had the request not been made naturally.

It’s worth noting that while active DNS collection has numerous benefits, it also has some significant drawbacks. Mainly, as requests are made to a given resource, it’s plausible that those running the infrastructure could be recording your queries and identify that you are aware of their servers. Wise operators may decide to block your addresses, try to infect you or make changes to their infrastructure (abandoning domains, registering new ones, changing IP addresses) that could leave you in the dark.
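The two benefits described above, choosing your own lookup cadence and resolver and building your own historical view, come down to recording each answer under a first_seen/last_seen key and comparing answers across resolvers. The Python below is an added example of that collector, not PassiveTotal’s or DNSIQ’s code. It includes a real lookup function that uses the host’s resolver (and so is subject to the visibility caveat just stated), but the demonstration runs entirely on constructed in-memory resolvers with documentation-range addresses and the reserved .test TLD, so it can be executed offline.

```python
import socket

# Constructed resolvers, not real lookups: each maps a name to the addresses a
# given DNS server would return. The extra address from resolver-b for
# www.example.test is deliberate, to show a cross-resolver disagreement.
CONSTRUCTED_RESOLVERS = {
    "resolver-a": lambda name: {"www.example.test": ["203.0.113.5"],
                                "mail.example.test": ["203.0.113.9"]}.get(name, []),
    "resolver-b": lambda name: {"www.example.test": ["203.0.113.5", "203.0.113.6"],
                                "mail.example.test": ["203.0.113.9"]}.get(name, []),
}


def system_resolve(name):
    """Real IPv4 lookup through the host's configured resolver (needs network).
    Whoever operates the authoritative servers can observe these queries."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def collect(names, resolvers, today, history=None):
    """One active-DNS pass. Each (name, address, resolver) key keeps a
    first_seen/last_seen pair, so repeated passes build a history shaped like
    the passive DNS tables on this page. `resolvers` maps a label to a callable
    name -> list of addresses; `today` is an ISO date string."""
    history = {} if history is None else history
    for label, resolve in resolvers.items():
        for name in names:
            for ip in resolve(name):
                key = (name, ip, label)
                first_seen, _ = history.get(key, (today, today))
                history[key] = (first_seen, today)
    return history


def answers_by_resolver(history, name):
    """{resolver label: set of addresses ever returned for name}."""
    per_resolver = {}
    for (n, ip, label), _ in history.items():
        if n == name:
            per_resolver.setdefault(label, set()).add(ip)
    return per_resolver


def divergent(history, name):
    """Resolvers that disagree about a name (geo-aware answers, split horizon,
    or tampering all look like this). Returns {} when every resolver agrees."""
    per_resolver = answers_by_resolver(history, name)
    return per_resolver if len({frozenset(v) for v in per_resolver.values()}) > 1 else {}


def run_demo():
    """Two passes on consecutive days with the constructed resolvers."""
    names = ["www.example.test", "mail.example.test"]
    history = collect(names, CONSTRUCTED_RESOLVERS, "2015-09-01")
    history = collect(names, CONSTRUCTED_RESOLVERS, "2015-09-02", history)
    return (history,
            divergent(history, "www.example.test"),
            divergent(history, "mail.example.test"))


if __name__ == "__main__":
    history, www, mail = run_demo()
    for key, window in sorted(history.items()):
        print(key, window)
    print("www disagreement:", www)
    print("mail disagreement:", mail)
```

To use it against live infrastructure, pass {"system": system_resolve} (or several resolver callables bound to different servers) in place of CONSTRUCTED_RESOLVERS and run collect on whatever cadence you choose; the last question in the list below, whether the answer changes with the DNS server used, is exactly what divergent reports.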

Analytical Leads

Forces discovery of infrastructure that may not show up in passive DNS

Identification of actors changing tactics based on active DNS probing

Discovery of multi-level subdomains that could reveal targeting or new infrastructure

Questions to Ask

Are identified subdomains specific or general?

Does the same resolution response come back no matter what DNS server is used?